Category: Deception & Impersonation
Homograph attacks (lookalike characters) in the browser
A homograph attack uses lookalike characters (often letters from another script, such as Cyrillic or Greek, that render almost identically to Latin ones) to register a domain that visually resembles a trusted brand's domain.
Quick answer
Even careful readers can miss character-level tricks, and the browser bar may look “right enough” to pass a quick glance.
For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.
When you need this
- You’ve seen indicators of this threat in your environment.
- Users frequently click unknown links as part of daily work.
- You need a control that reduces risk without relying on perfect user judgment.
Last updated
2026-01-29
How it usually happens in the browser
- An attacker registers an internationalized domain name (IDN) whose Unicode form uses visually similar characters; on the wire, in DNS and in certificates it is an ordinary ASCII label prefixed with xn--, so registration and TLS issuance work normally.
- Victims receive a link or search result that appears identical to the real domain.
- The attacker serves a cloned login page or a fake download/support portal.
- Credentials, tokens, or payment details are captured and reused elsewhere.
What traditional defenses miss
- Human URL inspection fails when characters are visually indistinguishable. Modern browsers display the punycode (xn--) form for labels that mix scripts, but a label written entirely in one non-Latin script can still render as Unicode, so the address bar is not a reliable check on its own.
- Blocklists may not include every IDN variant of a popular brand; the number of confusable combinations per brand is large.
- Security awareness training rarely covers IDN/punycode nuances in a memorable way.
How isolation changes the game
- Isolation treats unknown destinations as risky by default and keeps active content away from the endpoint.
- Policy can combine domain reputation signals with isolation for “unknown/IDN-heavy” destinations.
- Disposable sessions reduce exposure from follow-on downloads and embedded scripts used in these lures.
Operational checklist
- Force unknown domains into isolation; consider stricter handling for IDN destinations if your environment permits.
- Promote bookmark-based access for critical apps; avoid “type the URL” workflows.
- Use password managers that autofill only on the exact registered domain; a lookalike domain gets no credentials, and the missing autofill is itself a warning sign users can learn to notice.
- Monitor for lookalike registrations of your brand and major vendors used by your org.
- Train users on the rule: if the login prompt is unexpected, stop and verify via official entry points.
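The "stricter handling for IDN destinations" and "monitor for lookalike registrations" items above both need the same building block: decode punycode, detect mixed-script labels, and compare a host against a protected brand list after mapping confusable letters to their Latin lookalikes. The following is an added example written for this page, not code from the page's author or any product; the protected host list, the confusable table (a hand-picked subset of Unicode's confusables.txt) and the sample hosts are all constructed for illustration, and the ".example" TLD is the reserved one from RFC 2606. It also covers the whole-script case from the section above (a label entirely in Cyrillic that a browser may render as Unicode), which the page mentions but does not spell out.

```python
import unicodedata

# Constructed brand list for the example (hypothetical hosts, not from the page).
PROTECTED_HOSTS = {"access.example", "accounts.access.example"}

# Constructed confusable table: non-Latin letters that render like Latin ones.
# Illustrative subset only; a production tool should load Unicode's confusables.txt.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}


def to_unicode(host: str) -> str:
    """Decode xn-- (punycode) labels so the wire form and the display form compare equal."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                # Raw punycode decode (no IDNA mapping) so unusual code points survive.
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the ASCII label, it will still be isolated
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of one label, derived from character names."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens belong to no script
        name = unicodedata.name(ch, "")
        if name:
            found.add(name.split()[0])  # "LATIN", "CYRILLIC", "GREEK", ...
    return found


def skeleton(host: str) -> str:
    """Replace confusable letters with their Latin lookalike to get a comparison key."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def classify(host: str) -> dict:
    """Decide the isolation policy action for one destination host."""
    unicode_host = to_unicode(host)
    is_idn = any(ord(ch) > 127 for ch in unicode_host)
    mixed = [lbl for lbl in unicode_host.split(".") if len(scripts_in(lbl)) > 1]
    lookalike_of = None
    if unicode_host not in PROTECTED_HOSTS and skeleton(unicode_host) in PROTECTED_HOSTS:
        lookalike_of = skeleton(unicode_host)
    if unicode_host in PROTECTED_HOSTS:
        action = "allow"            # exact protected host: normal browsing
    elif lookalike_of:
        action = "block"            # confusable with a protected brand: never render it
    elif is_idn:
        action = "isolate-strict"   # unknown IDN: isolate, no downloads, no credential entry
    else:
        action = "isolate"          # unknown ASCII domain: default isolation
    return {
        "input": host,
        "unicode_host": unicode_host,
        "is_idn": is_idn,
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike_of,
        "action": action,
    }


# Constructed sample destinations (not real observations).
WHOLE_SCRIPT_LOOKALIKE = "\u0430\u0441\u0441\u0435\u0455\u0455.example"  # all Cyrillic
SAMPLE_HOSTS = [
    "access.example",                  # exact protected host
    WHOLE_SCRIPT_LOOKALIKE,            # browsers may render this as Unicode
    "acc\u0435ss.example",             # single Cyrillic letter: mixed-script label
    "xn--" + "\u0430\u0441\u0441\u0435\u0455\u0455".encode("punycode").decode("ascii") + ".example",
    "m\u00fcnchen.example",            # legitimate IDN with no brand overlap
    "login-access.example",            # plain unknown ASCII domain
]


def demo() -> list:
    """Classify every sample host; returns the list of policy decisions."""
    return [classify(h) for h in SAMPLE_HOSTS]


if __name__ == "__main__":
    for decision in demo():
        print(f"{decision['action']:15} {decision['input']}  ->  {decision['unicode_host']}")
```

The whole-script Cyrillic host is the important case: it has no mixed-script label, so it can survive a browser's IDN display heuristics and a glance at the address bar, yet the skeleton comparison still ties it to the protected brand. The same classify() logic applied to a feed of new domain registrations gives the brand-monitoring check from the list above.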
FAQs
What is punycode?
Punycode is the ASCII encoding of internationalized domain names: each non-ASCII label becomes an ASCII label prefixed with xn--, which is the form DNS and TLS certificates actually use. Browsers may display the Unicode form instead, which is what makes lookalike character tricks possible.
Are homograph attacks common?
They’re used when attackers want high trust with low effort—especially against popular brands and identity portals.
Will a certificate warning appear?
Not necessarily. Attackers can obtain valid, domain-validated TLS certificates for their lookalike domains, so a padlock only proves that you reached the domain in the address bar, not that it is the one you intended.
What’s the best defense?
Reduce reliance on human URL inspection: use allowlists/bookmarks, strong auth, and isolate unknown browsing by default.